Rev 182 | Go to most recent revision | Show entire file | Ignore whitespace | Details | Blame | Last modification | View Log | RSS feed
| Rev 182 | Rev 183 | ||
|---|---|---|---|
| Line 32... | Line 32... | ||
| 32 | \label{introduction} |
32 | \label{introduction} |
| 33 | Operating systems (OSes for short) have a somewhat special position among all software. |
33 | Operating systems (OSes for short) have a somewhat special position among all software. |
| 34 | OSes are usually designed to run on bare hardware. This means that they do not require |
34 | OSes are usually designed to run on bare hardware. This means that they do not require |
| 35 | any special assumptions on the environment except the assumptions on the properties and |
35 | any special assumptions on the environment except the assumptions on the properties and |
| 36 | behavior of hardware. In many cases it is perfectly valid to consider the hardware |
36 | behavior of hardware. In many cases it is perfectly valid to consider the hardware |
| 37 | as \emph{idealized hardware} (zero mathematical probability of failure, perfect compiance |
37 | as \emph{idealized hardware} (zero mathematical probability of failure, perfect compliance |
| 38 | with the specifications, etc.). This means that it is solely the OS that defines the |
38 | with the specifications, etc.). This means that it is solely the OS that defines the |
| 39 | environment for other software. |
39 | environment for other software. |
| 40 | |
40 | |
| 41 | OSes represent the lowest software layer and provide services to essentially all other |
41 | OSes represent the lowest software layer and provide services to essentially all other |
| 42 | software. Considering the principle of recursion, the properties of an OS form the |
42 | software. Considering the principle of recursion, the properties of an OS form the |
| Line 64... | Line 64... | ||
| 64 | segmentation of the desktop and server OSes market is going to change very rapidly |
64 | segmentation of the desktop and server OSes market is going to change very rapidly |
| 65 | in the near future. |
65 | in the near future. |
| 66 | |
66 | |
| 67 | The architecture of these major desktop and server OSes is monolithic, which makes |
67 | The architecture of these major desktop and server OSes is monolithic, which makes |
| 68 | any attempts to do formal verification on them extremely challenging due to the large |
68 | any attempts to do formal verification on them extremely challenging due to the large |
| 69 | state space. Fortunatelly we can observe that aspects of several novel approaches from |
69 | state space. Fortunately we can observe that aspects of several novel approaches from |
| 70 | the OS research from the late 1980s and early 1990s (microkernel design, user space |
70 | the OS research from the late 1980s and early 1990s (microkernel design, user space |
| 71 | file system and device drivers, etc.) are slowly emerging in these originally purely |
71 | file system and device drivers, etc.) are slowly emerging in these originally purely |
| 72 | monolithic implementations. |
72 | monolithic implementations. |
| 73 | |
73 | |
| 74 | \medskip |
74 | \medskip |
| Line 78... | Line 78... | ||
| 78 | specifically with formal verification in mind. These design choices can be gradually |
78 | specifically with formal verification in mind. These design choices can be gradually |
| 79 | introduced (and in fact some of them have already been introduced) to mainstream |
79 | introduced (and in fact some of them have already been introduced) to mainstream |
| 80 | general-purpose OSes. |
80 | general-purpose OSes. |
| 81 | |
81 | |
| 82 | Our approach is not based on using a single ``silver-bullet'' formalism, methodology or |
82 | Our approach is not based on using a single ``silver-bullet'' formalism, methodology or |
| 83 | tool, but on combining various enginering, semi-formal and formal approaches. |
83 | tool, but on combining various engineering, semi-formal and formal approaches. |
| 84 | While the lesser formal approaches give lesser guarantees, they can complement |
84 | While the lesser formal approaches give lesser guarantees, they can complement |
| 85 | the formal approaches on their boundaries and increase the coverage of the set of |
85 | the formal approaches on their boundaries and increase the coverage of the set of |
| 86 | all hypothetical interesting properties of the system. |
86 | all hypothetical interesting properties of the system. |
| 87 | |
87 | |
| 88 | We also demonstrate work-in-progress case study of an general-purpose research OS |
88 | We also demonstrate work-in-progress case study of an general-purpose research OS |
| Line 257... | Line 257... | ||
| 257 | \label{fig:diag} |
257 | \label{fig:diag} |
| 258 | \end{center} |
258 | \end{center} |
| 259 | \end{figure} |
259 | \end{figure} |
| 260 | |
260 | |
| 261 | In this section, we analyze the properties we would like to check in a general-purpose |
261 | In this section, we analyze the properties we would like to check in a general-purpose |
| 262 | operating system. Each set of properties usually requires a specific verification method, |
262 | OS. Each set of properties usually requires a specific verification method, tool or toolchain. |
| 263 | tool or toolchain. |
- | |
| 264 | |
263 | |
| 265 | Our approach will be mostly bottom-up, or, in other words, from the lower levels of abstraction |
264 | Our approach will be mostly bottom-up, or, in other words, from the lower levels of abstraction |
| 266 | to the higher levels of abstraction. If the verification fails on a lower level, it usually |
265 | to the higher levels of abstraction. If the verification fails on a lower level, it usually |
| 267 | does not make much sense to continue with the higher levels of abstraction until the issues |
266 | does not make much sense to continue with the higher levels of abstraction until the issues |
| 268 | are tackled. A structured overview of the formalisms, methods and tools can be seen on |
267 | are tackled. A structured overview of the formalisms, methods and tools can be seen on |
| Line 280... | Line 279... | ||
| 280 | this set). |
279 | this set). |
| 281 | |
280 | |
| 282 | \medskip |
281 | \medskip |
| 283 | |
282 | |
| 284 | Please note that the titles of the following sections do not follow any particular established |
283 | Please note that the titles of the following sections do not follow any particular established |
| 285 | taxonomy. We have simply chosen the names to be intuitivelly descriptive. |
284 | taxonomy. We have simply chosen the names to be intuitively descriptive. |
| 286 | |
285 | |
| 287 | \subsection{C Language Compiler and Continuous Integration Tool} |
286 | \subsection{C Language Compiler and Continuous Integration Tool} |
| 288 | \label{clang} |
287 | \label{clang} |
| 289 | The initial levels of abstraction do not go far from the C source code and common engineering |
288 | The initial levels of abstraction do not go far from the C source code and common engineering |
| 290 | approaches. First, we would certainly like to know whether our code base is compliant with the |
289 | approaches. First, we would certainly like to know whether our code base is compliant with the |
| Line 412... | Line 411... | ||
| 412 | There is one key difference between a static analyzer and a static verifier: Static verifiers |
411 | There is one key difference between a static analyzer and a static verifier: Static verifiers |
| 413 | allow the user to specify one's own properties, in terms of preconditions, postconditions and |
412 | allow the user to specify one's own properties, in terms of preconditions, postconditions and |
| 414 | invariants in the code. Many static verifiers also target true multithreaded usage patterns |
413 | invariants in the code. Many static verifiers also target true multithreaded usage patterns |
| 415 | and have the capability to check proper locking order, hand-over-hand locking and even liveliness. |
414 | and have the capability to check proper locking order, hand-over-hand locking and even liveliness. |
| 416 | |
415 | |
| 417 | In the context of an operating system kernel and core libraries two kinds of properties are |
416 | In the context of an OS kernel and core libraries two kinds of properties are common: |
| 418 | common: |
- | |
| 419 | |
417 | |
| 420 | \begin{description} |
418 | \begin{description} |
| 421 | \item[Consistency constrains] These properties define the correct way how data is supposed |
419 | \item[Consistency constrains] These properties define the correct way how data is supposed |
| 422 | to be manipulated by some related set of subroutines. Checking for these |
420 | to be manipulated by some related set of subroutines. Checking for these |
| 423 | properties ensures that data structures and internal states will not get corrupt due |
421 | properties ensures that data structures and internal states will not get corrupt due |
| Line 429... | Line 427... | ||
| 429 | \end{description} |
427 | \end{description} |
| 430 | |
428 | |
| 431 | \subsection{Model Checker} |
429 | \subsection{Model Checker} |
| 432 | \label{modelcheck} |
430 | \label{modelcheck} |
| 433 | On the first sight it does not seem to be reasonable to consider general model checkers as |
431 | On the first sight it does not seem to be reasonable to consider general model checkers as |
| 434 | relevant independent tools for formal verification of an existing operating system. While many |
432 | relevant independent tools for formal verification of an existing OS. While many different |
| 435 | different tools use model checkers as their backends, verifying a complete model of the entire |
433 | tools use model checkers as their backends, verifying a complete model of the entire |
| 436 | system created by hand seems to be infeasible both in the sense of time required for the model |
434 | system created by hand seems to be infeasible both in the sense of time required for the model |
| 437 | creation and resources required by the checker to finish the exhaustive traversal of the model's |
435 | creation and resources required by the checker to finish the exhaustive traversal of the model's |
| 438 | address space. |
436 | address space. |
| 439 | |
437 | |
| 440 | Nevertheless, model checkers on their own can still serve a good job verifying abstract |
438 | Nevertheless, model checkers on their own can still serve a good job verifying abstract |
| Line 461... | Line 459... | ||
| 461 | interfaces), composite components (an architectural compositions of primitive components) and the |
459 | interfaces), composite components (an architectural compositions of primitive components) and the |
| 462 | bindings between the respective interfaces of the components. |
460 | bindings between the respective interfaces of the components. |
| 463 | |
461 | |
| 464 | It is extremely important to define the right role of the behavior and architecture description. |
462 | It is extremely important to define the right role of the behavior and architecture description. |
| 465 | A flawed approach would be to reverse-engineer this description from the source code (either manually |
463 | A flawed approach would be to reverse-engineer this description from the source code (either manually |
| 466 | or via some sophisticated tool) and then verify the compliance between the desciption and |
464 | or via some sophisticated tool) and then verify the compliance between the description and |
| 467 | the implementation. However, different directions can give more interesting results: |
465 | the implementation. However, different directions can give more interesting results: |
| 468 | |
466 | |
| 469 | \begin{description} |
467 | \begin{description} |
| 470 | \item[Description as specification] Behavior and architecture description created independently |
468 | \item[Description as specification] Behavior and architecture description created independently |
| 471 | on the source code serves the role of specification. This has the following primary |
469 | on the source code serves the role of specification. This has the following primary |
| Line 499... | Line 497... | ||
| 499 | |
497 | |
| 500 | \medskip |
498 | \medskip |
| 501 | |
499 | |
| 502 | The key features of software systems with respect to behavior and architecture checkers are the granularity |
500 | The key features of software systems with respect to behavior and architecture checkers are the granularity |
| 503 | of the individual primitive components, the level of isolation and complexity of the communication mechanism |
501 | of the individual primitive components, the level of isolation and complexity of the communication mechanism |
| 504 | between them. Large monolithic OSes created in sematic-poor C present a severe challenge because the |
502 | between them. Large monolithic OSes created in semantic-poor C present a severe challenge because the |
| 505 | isolation of the individual components is vague and the communication between them is basically unlimited |
503 | isolation of the individual components is vague and the communication between them is basically unlimited |
| 506 | (function calls, shared resources, etc.). |
504 | (function calls, shared resources, etc.). |
| 507 | |
505 | |
| 508 | OSes with explicit component architecture and fine-grained components (such as microkernel multiserver |
506 | OSes with explicit component architecture and fine-grained components (such as microkernel multiserver |
| 509 | systems) make the feasibility of the verification much easier, since the degrees of freedom (and thus |
507 | systems) make the feasibility of the verification much easier, since the degrees of freedom (and thus |